IBM QRadar

IBM QRadar

Join this online topic group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

Write AQl query to sort source IP address based on total event count

  • 1.  Write AQl query to sort source IP address based on total event count

    Posted Mon June 30, 2025 10:12 AM

    Hello Experts,

    I am novice to writing AQL queries, would appreciate if you can provide me the AQL query, to sort source IP address based on total event count. I will build my other queries based on this.

    Thank you very much in advance

    Umamaheshwar



    ------------------------------
    Umamaheshwara Manekar
    ------------------------------


  • 2.  RE: Write AQl query to sort source IP address based on total event count

    Posted Mon August 04, 2025 09:31 AM

    Hi Umamaheshwar,


    Welcome to the world of AQL! If you're looking to sort source IP addresses based on the total event count, here's a basic AQL query you can start with:


    aql

    • Copy
    • Edit
    • SELECT sourceip, COUNT(*) as event_count
    • FROM events
    • GROUP BY sourceip
    • ORDER BY event_count DESC


    This query will:

    • Count the number of events for each sourceip
    • Group them accordingly
    • Sort the result in descending order based on event count


    You can now use this as a foundation and add more filters or conditions as needed.


    Let me know if you need help customizing it further!


    Best,
    RHJ



    ------------------------------
    Rh Jaffery
    ------------------------------



Related Content